MSE News: 'Super-complaint' submitted over protection for bank transfer scam victims

mt99

Can't remember the last time I had to use documents, fraudulent or otherwise, to open an account. All the ID checks and credit checks are done behind the scenes. Obviously some are not good enough.

JuicyJesus

mt99 wrote: »

Can't remember the last time I had to use documents, fraudulent or otherwise, to open an account. All the ID checks and credit checks are done behind the scenes. Obviously some are not good enough.

How would you do it then? Seeing as you have all the answers and the people that actually run the banks don't do it right according to you. Please, do tell us.

GingerFurball_2

mt99 wrote: »

Can't remember the last time I had to use documents, fraudulent or otherwise, to open an account. All the ID checks and credit checks are done behind the scenes. Obviously some are not good enough.

You're checked against credit reference agencies and against ID databases like the electoral roll. If there's any sort of discrepancy you need to go into the branch to provide your documents in person (at least, that's how it's worked with every bank I've been with)

To fraudulently open an account online I would either need to commit identity theft and intercept someone's post when cards etc get sent out or somehow have created a false profile for myself on experian etc to pass all the checks. Or get myself a false passport.

Cornucopia

JuicyJesus wrote: »

What a brilliant idea, if only it wasn't the case that fraudsters opening bank accounts did so deliberately to try and appear like normal customers and therefore undetectable; this idea will reduce all fraud to nil overnight if they just don't open accounts for fraudsters, possibly after they've invented a machine that can see the future or works like the thing in Minority Report.

Yes, of course. The issue is that whatever the Banks are doing to prevent people fraudulently opening accounts, it isn't working. That's a problem for THEM to resolve. Nothing I can do as a customer can prevent my Bank from opening accounts for scammers, only they can do that.

That's a brilliant idea except for them not having the information and it being a breach of data protection to give it out.

It isn't a breach of anything, if its either given out by consent or as a condition of the Ts & Cs of the account. Maybe it isn't the whole name, but selected characters from it?

Here's a fun scenario: ex-husband is required to make child support payment...

In which case the partner withholds consent.

Wow that's so clever it's not like they wouldn't have verified you either so you could be basically anyone but they're still giving you bits of the secret word.

There isn't really any need for a Bank->Customer secret password. The protocol should be that the Bank never calls the Customer and asks for secure information. Unfortunately, the Banks do make such calls (I had one a few weeks ago), so THEY need to think through how to approach this in a secure manner.

The most obvious way is some kind of double-blind exchange of information, although I accept that the more complicated it is, the more likely it is that some customers will not understand it.

A double-blind exchange is one where no information is disclosed on a potentially insecure communications route, but instead references to information are given that require both parties to hold valid secure info in order to prove that the dialog is secure.

It works like this:-

Bank: Hello, this is Bob from Bracley's Bank. is that Mr. Cornucopia?
You: Yes.
Bank: We need to speak to you about your account, but we need you to be sure you are speaking to the Bank and not receiving a phishing call.
You: Okay.
Bank: Please look on the back of your Debit card.
You: Okay.
Bank: Your CVV number is printed there, it has 3 digits. I'm not going to say what digits 2 & 3 are, but if you count those number of places into your Account Password, the letters are Q and B. Please confirm for me that that is correct?
You: Yes.
Bank: Okay, now we will go through standard security.

...scammers are very persuasive and will say or do anything to ensure compliance, including asking the scammee to lie about what they're doing or ignore plain as day indications that something is wrong. That's how they succeed. How is that anyone's fault except the scammer and anyone willing to go along with obvious nonsense?

I am prepared to give some credence to that argument as it applies to a typical person in the street. However, the Banks serve the whole of society including people who are particularly vulnerable to scams, and I think that they owe those people a duty of care. Even now, simple pieces of relevant information ("Bank transfers can be untraceable and irreversible") are not being provided on the BT screens of online banking. Why not?

I would be more than happy for additional scam protection to be an opt-in service, so that people who want the "fire & forget" aspect of the present system can continue to have it.

GingerFurball_2

Having actually read the body of the Which complaint properly, it is complete nonsense and I'll be amazed if the complaint succeeds, because some of the key assertions made in the complaint are simply not true.

For instance, the comparison to debit card payments is erroneous. There is no legal right to recover a card payment from your bank if you've fallen victim to a scam. You have the right to raise a chargeback, but the merchant can defend this. Likewise, their claim that banks only bother to come up with systems to protect payments where the bank is liable is also demonstrably untrue.

Customers are protected for bank transfer fraud where there has been no direct customer involvement.

karasnikof

Ok. Let's make this "go viral". For some time I have had a solution to fraudsters ringing you, claiming to be your bank.
MY SOLUTION WILL BE CALLED THE "karasnikof solution".
You currently have a password which the bank will ask you for (or characters from that password) to verify it is really you. Call this "my password". What I have asked the banks to do (on many occasions) is to a store a password that I give to them. Call this the "bank's password". When they call me I can say to them "So I know it is really my bank calling, what is the 2nd, 4th and 8th letters from the password I have given you - the bank's password". If they can't tell me the answer, I know it is a fraudster. Of course, my password and the bank's password should be different. Problem solved!!!
MARTIN -WHY DON'T YOU PUSH THIS SOLUTION TO THE BANK'S, PLEASE?

colsten

The problem with the "karasnikof solution" is that you assume everyone would remember that they must ask their bank for identification. Those that can be talked into sending thousands or tens of thousands on the say-so of a telephone scammer will easily be talked out of the need for it in an "emergency".

For instance, "the bank" could say their password store has been hacked, and that was one of the reasons that the money needs to be transferred immediately, without that security step. The gullible fools would fall for anything.

colsten

Has anyone seen any statistics relating to these scams? I.e. how many people have been scammed? What are characteristics of those scammed (age, gender, relationship status, post code etc)? What amounts were involved? What are the timescales involved (how many scams over what months, when are calls/transfers being made etc)? How many scammers have been caught? Which banks are affected? Etc etc

Cornucopia

It's important to understand just how devious and brazen the scammers can be.

I'd always thought that my two online accounts were very secure because they both require a further, third security check before allowing a new payment instruction to be created for a recipient not previously used.

But, I heard about a scam that works around this. It involves the scammers making a payment using an existing payee, and then contacting that payee and scamming them into returning your money to the Scammer's bank account. Much more complicated and less certain to be successful, but ingenious and showing a level of commitment to the fraud that most people would probably never expect.

Unfortunately, if the BACS system is not going to be re-engineered to be more traceable and more reversible, then the only other option will be to place greater restrictions upon banking transaction at source, limiting the amounts of money that can be associated with particular types of transaction without even more security checks.

Personally, I would quite like the option of placing maximum transaction size limits per payee on my accounts, and I would be happy for those limits to have uber-security on them, including even time-based and demographic protections. (Assuming that victims of fraud can be associated with particular demographics).

colsten

Cornucopia wrote: »

But, I heard about a scam that works around this. It involves the scammers making a payment using an existing payee, and then contacting that payee and scamming them into returning your money to the Scammer's bank account.

My understanding is we are already covered for those cases - provided we can prove that we were not negligent with the access data for our accounts.